Manage the security relationship between two forests and simplify security administration and authentication across forests. For more information, see Forest trusts.

To provide additional protection for the Active Directory schema, remove all users from the Schema Admins group, and add a user to the group only when schema changes need to be made. Once the change has been made remove the user from the group.

Restrict user, group, and computer access to shared resources and to filter Group Policy settings. For more information, see Group types.

Some default user rights assigned to specific default groups may allow members of those groups to gain additional rights in the domain, including administrative rights. Therefore, your organization must equally trust all personnel that are members of the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators and Backup Operators groups. For more information about these groups, see Default groups.